In an update on the 2017 Equifax data breach, the company reported to the Securities and Exchange Commission that while no new breaches occurred and no new customers were affected, a total of 2.4 million personally identifiable information (PII) records were collected in the 2017 attack. The image storage server where customers upload scans of documents for the company's online dispute portal was also hacked; the exposed images included passports and other government-issued IDs.

Equifax submitted the report at the request of the congressional committees investigating the cybersecurity incident to determine the depth and extent of the breach. The initial report in September 2017 estimated that the breach exposed records of 145.5 million US citizens and 15.2 million in the UK. After the company organized and classified its internal databases, analysis showed that the PII collected by the hackers includes dates of birth, social security numbers (SSN), addresses, phone numbers, email addresses, driver’s license numbers, tax identification numbers, and credit card data, among others. The report filed late last week gave more specific details:

| Data Element Stolen | Approx. Number of Affected US Consumers |
| --- | --- |
| Name | 146.6 million |
| Date of Birth | 146.6 million |
| SSN | 145.5 million |
| Address Information | 99 million |
| Gender | 27.3 million |
| Phone Number | 20.3 million |
| Driver's License Number | 17.6 million |
| Email (w/o credentials) | 1.8 million |
| Payment Card No. and Expiration Date | 209,000 |
| Tax ID | 97,500 |
| Driver's License State | 27,000 |

The report states that no additional breaches occurred and no additional customers were affected since the September 2017 announcement. However, aside from the database information accessed by the cybercriminals, the online dispute portal was also breached, exposing images uploaded by approximately 182,000 US consumers. The company's review details the approximate number of government-issued IDs uploaded:

| Government-Issued ID | Approx. Number of Images Affected |
| --- | --- |
| Driver's License | 38,000 |
| SS or Tax ID Card | 12,000 |
| Passport or Passport Card | 3,200 |
| Others (Military IDs, Resident Alien Cards, State-Issued IDs) | 3,000 |

While individual customers were initially notified after the public announcement late last year, Equifax wrote that the affected consumers will receive notifications by US Postal mail, identifying the PII included in the breach, except for those whose gender, phone numbers and email addresses were collected as US notification laws do not require it. The company also announced on their website that they will be offering identity theft protection and credit file monitoring to affected customers at no cost. Customers can also access the website for the “Am I Impacted” tool to find out if their information is among the list of affected records.

The data breach was traced back to a security program vulnerability that Equifax failed to patch. It has since become an example for businesses to improve their data handling, management, and protection policies. Here are some guidelines enterprises can follow to prevent a similar incident:

Organize and classify data, so that only the people trained and authorized to handle sensitive information have access to relevant details.

Have alternative systems of authentication inside the company and for customers. PII is often used by businesses to verify individuals’ identities, and SSNs have been especially abused over time. Other verification methods should be explored to create variation and make systems more difficult to breach.

Trend Micro XGen™ endpoint security can provide comprehensive protection on all fronts as it infuses high-fidelity machine learning with detection technologies and threat intelligence against advanced and sophisticated malware. Trend Micro™ Security, Smart Protection Suites and Worry-Free™ Business Security are solutions inside XGen™, and work 24/7 to protect companies from malicious files commonly used by cybercriminals for infiltration during data breaches.
